CISM in 2 weeks

I'll be there on June 11. Just finished reading the book today so I'll pretty much just be perusing the material on IEEE's site and taking practice tests from now until go time. Has anyone used ISACA's practice exam engine? Are your scores on the practice exams pretty telling of how you will do on the actual exam?

Find more posts tagged with

Comments

colemic

I have been using the CISA practice exam engine since February and have yet to score higher than a 66. Arcane, and total hairsplitting. Super frustrating. A lot of that though is my own fault, not reading the question thoroughly enough. But whoever wrote the majority of those questions was a prick.

colemic

Case in point:

While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?

A. A scan of all floppy disks before use

B.A virus monitor on the network file server

C.Scheduled daily scans of all network drives

D.A virus monitor on the user's personal computer

I answered A. which was incorrect. The correct answer is D. The explanation given:

Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system.The term “monitor” means, by definition, that the antivirus programs are actively looking for viruses. Most current antivirus systems perform real-time monitoring when a file is imported from a “floppy” disk into a computer system. The most effective way to DETECT a virus would be through real-time antivirus monitoring at the user's desktop. This would detect the virus before it was transferred to the system/network. Most antivirus systems will prompt the user as to whether the user wants to continue the transfer or to eradicate the virus. So the MONITORING functions are separate from the PREVENTIVE controls implied in the answers. Further, if the information was transferred from the floppy disk to a local PC, as is the case in most circumstances, a scheduled daily scan of “network” drives won't detect the virus because personal drives (choice C) are not backed up to a network drive.

Do I need to even comment on how wrong this is? (If you think they are correct, please explain it to me. I fail to see how a user's personal computer comes into this at all, as the question certainly did not indicate that the disk was brought from home.)

It is driving me crazy!!!

colemic

Another winner:

An IS auditor observed brute-force attacks on the administrator account. The BEST recommendation to prevent a successful brute-force attack would be to:

A.increase the password length for the user.
B.configure a session timeout mechanism.
C.perform periodic vulnerability scans.
D.configure a hard-to-guess username.

I answered A, and the correct answer is D. Explanation:

Knowledge of both a username and password is required to successfully compromise an account using brute-force attack. If a username is guessable, brute-force attacks are much more feasible. Increasing the password length is not as good as having a username that cannot be discovered. Session timeouts do not prevent unauthorized access. Vulnerability scans typically test for default usernames and passwords, but do not prevent brute-force attacks. Performing periodic vulnerability scans is a good detective control, but does not prevent brute-force attacks.

Hm. I was under the impression that it was always much, much easier to obtain user names than passwords.

ChooseLife

Without peeking at the right answers, I chose "D" for both. In both cases I was deciding between "A" and "D".

The reason for picking "D" over "A" in the first one was that "A" could be read as if the floppies were scanned once at the very beginning of usage (before virus infected them). "D" seemed to have only one way to read it and looked correct.

The reason for picking "D" over "A" in the second one was more explicit. "Administrator" in the question hinted at the best-practice of renaming administrator accounts, which drastically decreases likelihood of successful blind brute-force attack (one where username is unknown). Increasing password length does not sufficiently increase protection against brute-force to be called prevention.

colemic

Only got a second, but the first one - why did you assume that he brought the disk from home/used it on his personal computer? The explanation calls it a desktop and (to me) implies it is a work PC. I ruled out D because I try to be cognizant of using the information given and I didn't see where it had anything to do with a personal PC.

JDMurray

The first question a good example of an exam item with two correct answer options, but one is slightly more correct than the other.

In the first question, a local A/V scanning program present on a workstation does also scan all floppy disks before use. So choosing D is implying also using the solution in A, but choosing A is not necessarily implying also using the solution in D.

I'm sure the people sitting around a big table group-writing that exam item probably talked themselves into accepting it using the this same logic.

In the second question, both strong passwords and hard-to-guess user names are correct solutions, but enforcing a longer password doesn't mean the user will be using a stronger password (e.g., is "1234512345" really less crackable than "12345"?)

I'm guessing D is correct because there are "password guessing" programs but no "user name guessing" programs. Account cracking programs actually need to know the name of the account you are breaking in to, but not the password. Having very complex account names that are kept confidential would make brute-force login attacks very difficult.

I actually choose C because I want to know what accounts have passwords that are most vulnerable to a brute-force password guessing attack.

shaqazoolu

Hmmmm....I got both of them right. Perhaps I should take the CISA next?

ChooseLife

colemic wrote: »

why did you assume that he brought the disk from home/used it on his personal computer?

I did not think the disk was brought from home, but I did assume he used it on his personal computer. The virus had to have an entry point to the system, and the most likely way for a user to introduce it is through their PC/desktop. This is because normally users only have physical access to PC's, not network file servers.

colemic

JDMurray wrote: »

I'm sure the people sitting around a big table group-writing that exam item probably talked themselves into accepting it using the this same logic.

When I do an audit, having weak passwords is a high-risk finding. (very few, if any, exceptions.) Not changing the default administrator account name is always considered a low-risk finding. I am sure that influenced my (wrong) answer.

I think you hit the nail on the head regarding sitting around a table and talking themselves into it. I just expected this certification exam to test knowledge, not semantics, and to me, that is clearly not the case.

shaqazoolu

colemic wrote: »

When I do an audit, having weak passwords is a high-risk finding. (very few, if any, exceptions.) Not changing the default administrator account name is always considered a low-risk finding. I am sure that influenced my (wrong) answer.

I think the perspective that the CISM attempts to instill in those that take it is not that you ding someone for not changing default administrator usernames. The solution to this problem is NOT to simply go and just start changing all of the administrative usernames to make them harder to guess. To me, the purpose of the CISM is to teach you how to look past that. In this case, changing the defaults would be a very short term, non-comprehensive solution. The REAL solution is to identify the fact that either:

1. Their system hardening procedures don't exist
2. They have system hardening procedures but they don't consider changing default usernames
3. They have awesome system hardening procedures that consider this, but they aren't being followed.

If the problem is #3, then you could turn that into the need for a more comprehensive security awareness training program, and so on.

cabrillo24

colemic wrote: »

Another winner:

An IS auditor observed brute-force attacks on the administrator account. The BEST recommendation to prevent a successful brute-force attack would be to:

A.increase the password length for the user.
B.configure a session timeout mechanism.
C.perform periodic vulnerability scans.
D.configure a hard-to-guess username.

I answered A, and the correct answer is D. Explanation:

Knowledge of both a username and password is required to successfully compromise an account using brute-force attack. If a username is guessable, brute-force attacks are much more feasible. Increasing the password length is not as good as having a username that cannot be discovered. Session timeouts do not prevent unauthorized access. Vulnerability scans typically test for default usernames and passwords, but do not prevent brute-force attacks. Performing periodic vulnerability scans is a good detective control, but does not prevent brute-force attacks.

Hm. I was under the impression that it was always much, much easier to obtain user names than passwords.

Increasing the password length doesn't guard against a brute force attack, password complexity does, so answer A. is thrown out the window.

Focus on the context of the question itself and know it's extremely literal in it's questioning. ISACA is seeking the BEST answer in what it's asking.

cabrillo24

colemic wrote: »

Case in point:

While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?

A. A scan of all floppy disks before use

B.A virus monitor on the network file server

C.Scheduled daily scans of all network drives

D.A virus monitor on the user's personal computer

I answered A. which was incorrect. The correct answer is D. The explanation given:

Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system.The term “monitor” means, by definition, that the antivirus programs are actively looking for viruses. Most current antivirus systems perform real-time monitoring when a file is imported from a “floppy” disk into a computer system. The most effective way to DETECT a virus would be through real-time antivirus monitoring at the user's desktop. This would detect the virus before it was transferred to the system/network. Most antivirus systems will prompt the user as to whether the user wants to continue the transfer or to eradicate the virus. So the MONITORING functions are separate from the PREVENTIVE controls implied in the answers. Further, if the information was transferred from the floppy disk to a local PC, as is the case in most circumstances, a scheduled daily scan of “network” drives won't detect the virus because personal drives (choice C) are not backed up to a network drive.

Do I need to even comment on how wrong this is? (If you think they are correct, please explain it to me. I fail to see how a user's personal computer comes into this at all, as the question certainly did not indicate that the disk was brought from home.)

It is driving me crazy!!!

Virus scanning software quarantines and cleans viruses (which is a corrective control), whereas the question is asking what method is best for "DETECTING".

colemic

cabrillo24 wrote: »

Virus scanning software quarantines and cleans viruses (which is a corrective control), whereas the question is asking what method is best for "DETECTING".

OK, I'll accept your logic on the first one. But the second -doesn't virus scanning software have to detect before it quarantines and cleans viruses, thus making it a detective control as well as a corrective control?

I get what you are saying about taking the question literally - but in this case, to answer the question correctly, you have to assume that the user brought the disk from home, which, when I originally read the question, did not assume to be true, since it was not explicitly stated.

I just don't see the value in these kinds of questions. I have NEVER EVER EVER been as frustrated studying for a test as this, and I thought the CISSP had the market cornered on the 'choose the BEST answer' category. ISACA blows them out of the water in that regard. The cert won't hold much personal value for me if all I feel I conquered was semantics, instead of proving relevant knowledge.

Thank God it will be over in a week regardless.

cabrillo24

colemic wrote: »

OK, I'll accept your logic on the first one. But the second -doesn't virus scanning software have to detect before it quarantines and cleans viruses, thus making it a detective control as well as a corrective control?

I get what you are saying about taking the question literally - but in this case, to answer the question correctly, you have to assume that the user brought the disk from home, which, when I originally read the question, did not assume to be true, since it was not explicitly stated.

I just don't see the value in these kinds of questions. I have NEVER EVER EVER been as frustrated studying for a test as this, and I thought the CISSP had the market cornered on the 'choose the BEST answer' category. ISACA blows them out of the water in that regard. The cert won't hold much personal value for me if all I feel I conquered was semantics, instead of proving relevant knowledge.

Thank God it will be over in a week regardless.

Remember, this isn't necessarily a technical exam, rather understanding the scope of auditing in a business environment.

Remember with virus scanning software, it is used to remove viruses (automatically moving them into quarantine for later action). The question isn't asking what you should generally do as security professional, rather what is the best way to DETECT a virus (not how to prevent/correct). What if virus monitoring software suspects that a file is a possible virus, but upon review, you determine that it's simple a false positive with no further action needed to be taken. Whereas if you were to run a virus scanner against it, and it extracts something that makes whatever file on there unusable (now we are talking about ruining integrity and availability).

I'm not saying that I would chose a virus monitoring option over a virus scanning option in real world practice. The question specifically states "DETECTING" not "CORRECTING". Hope that clears any confusion.

phatsacks

Very true, and in fact, no test truly contains all the best ways, or even correct information. This is a pretty good certification, and you are in their world when testing.

For the CISA I read most of the book, then got short on time, and spent the last few days doing the sim tests from their CD/download. Basically the same approach this time, except I actually read the CISM, and feel like it is a shorter book.

The commonalities of the questions were already slightly addressed. However, below is what seems apparent to me:

If the question asks about the best way, or best factor for success, and an option has to do with the support from senior management, then always go with the senior management support.
1. Remember who is part of the steering committee. Even though the Chief whatever may be the best choice, that person is most likely a member of that committee and it also includes other organizational representatives.
2. The Board of Directors is the "ultimately" responsible group. Sh*t may roll down hill, but the shareholders will start with them.
For Incident Response - People/safety come first, then the needs of the business.
1. Keep in mind the differences between BIA and Risk Assessments.
Business owners will always understand the business better than the IT Security Manager. Data owners classify data, and authorize access to their data, while the security manager is the one who defines the classification schema, and the custodians ensure the data is protected according to the classification level.
As mentioned, stop and think when it is a control question, and ask yourself "is this a detective, preventative, or corrective question?" and do the same with the possible answers.

Remember to get the best sleep possible. I know that it seems obvious, but there is a lot to be said about REM sleep and retaining knowledge (versus short-term memory loss). I cannot mention breakfast, since all meals put me in a food coma; I eat a small snack.

Unless you are extremely confident, or nervous about answer changes, then do not leave the exam early. Take the time you are given. Go back over ones you have marked, and apply the same rational above (and your own), and see if something clicks. You will often have about 5 questions answer themselves due to other questions containing the information.

Lastly, good luck, and worst case you take it again in December; only with better experience, and understanding of the areas to focus on.

shaqazoolu

Well, now that yesterday is done, I can go back to wondering what to do next. I sat for the CISM and I really don't know what to think. I think i have a shot at passing, but it's a bit of an outside shot.

To start off with, I had been doing "risk assessments" as a consultant for a while leading up to this test, so I had a bit of experience going into it. However, I didn't even find out I was being required to take it until about a week before the exam sign up deadline, which was early April. The guy that proofs my risk assessment reports before the customer gets them is a CISM and he used to rip my reports apart for not doing things I had never been taught to do. It used to get a little annoying, until I started studying for this exam, when I realized he was pretty much already holding me to the CISM standard. If I pass, I am going to go ahead and say that was probably the deciding factor in my score.

In addition to that training, I had the CISM study manual and I bought the practice test engine. I am a member of IEEE and had every intention of using the CISM material there as well, but I just never got around to it. I was pretty busy with traveling for work and such so I really didn't start studying very hard until Memorial Day weekend. I read through about 85% of the study manual that weekend, and spent the last few weeks taking practice tests. Towards the end, I was averaging about 75%-80% on the practice exams. I personally felt like the real questions were MUCH more difficult than the practice exams. I also found myself struggling between picking the answer that would be suitable in real life versus the answer I knew ISACA was looking for.

In the class, Dynamik and I were the only ones taking the CISM, and he finished in like an hour because he's a freak. Of the four hours, I used about 3 hours and 40 minutes of it. I circled the answers in the book and starred the questions I didn't know the first time through, then made a 2nd pass answering the starred questions and filling in the scantron. Afterwards, I was pretty drained and unsure. Now, I'm just unsure. Whatever happens, I learned a lot regardless. The material is boring, but it is very good information if you are charged with developing and managing a security program. I think up to this point, this exam has probably taught me the most information of any other exam that I can immediately take and apply to my job. If I didn't have to do risk assessments, staying interested in this stuff enough to read all the way through it and pass would have been nearly impossible I think.

I guess the wait begins...